Protection of Personal Information Act (POPIA)
April 2021
PwC 3

Meet today’s team
Rutendo Musasa, Manager, Centre of Excellence
Khamiel Arendse, Director
Lauren Kleintjies, Manager
Andrea Benkenstein, Senior Manager, CoE Family Business
Ivo Meyer, Associate Director
Tammy Marshman, Moderator
Charles Fischer, Associate Director
Brief overview of POPIA

1. Promote protection of personal information processed by public and private bodies.
2. Introduce conditions and establish minimum requirements.
3. Provide for establishment of an information regulator (incl. PAIA).
4. Provide for issuing of codes of conduct.
5. Provide for rights regarding unsolicited electronic communications and automated decision-making.
6. Regulate transborder flow of information.

Scope
It covers: enforcement, conditions, special information, the Regulator, trans-border flows, automated decision-making and direct marketing.

When does it apply?
• Public and private bodies.
• Natural and juristic persons.
• Automated and non-automated processing.

When does it not apply?
• Household or personal use.
• De-identified data.
• Processing by Cabinet/ECs of provinces.
• Involves national security.
• Judicial functions.
• Journalistic, literary or artistic expression.

Timeline of related South African legislation (years shown on the slide: 1997, 2001, 2002, 2005, 2006, 2010, 2011, 2013, July 2020): Constitution; Promotion of Access to Information Act; Electronic Communications and Transactions Act; Regulation of Interception of Communications and Provision of Communication-related Information Act; National Credit Act; King III; Consumer Protection Act; Protection of Personal Information Act signed into law; remainder of sections of the Act enacted with 12 months grace to comply.
Privacy basics - What is personal information?

‘‘personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;”
Privacy basics - Who is the data subject?

‘‘data subject’’ means the person to whom personal information relates, and can be a natural or juristic person.
Privacy basics - Data privacy - A balance of rights

There needs to be a balance of interests with respect to the collection, use, disclosure and disposal of personal information: the individual’s rights and obligations on one side, and the organisation’s rights and obligations on the other.
Privacy basics - Who is regulated?

POPIA regulates two roles: the Responsible Party and the Operator.

Key insight: An organisation needs to determine the circumstances in which it is a Responsible Party, and when it is an Operator.
Privacy basics - What is processing?

‘‘processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information.

Information lifecycle: create and collect; use and analyse; share and transfer; store and archive; maintain and update; destroy and erase.

Key insight: The principle of ‘reasonableness’ will apply.
Lawful processing of information

POPIA prescribes eight conditions for the lawful processing of personal information:
• Purpose specification: Personal information may only be processed for specific, explicitly defined and legitimate reasons.
• Accountability: The organisation has measures in place to ensure that it complies with the requirements of POPIA.
• Processing limitation: Personal information may only be processed in a fair and lawful manner.
• Further processing limitation: Personal information may not be processed for a secondary purpose unless that purpose is compatible with the original purpose.
• Data subject participation: Data subjects’ rights to access, update, correct, and delete their personal information must be upheld.
• Information quality: Personal information must be accurate, complete and up to date.
• Openness: The organisation provides adequate notice regarding its processing activities.
• Security safeguards: Personal information must be protected against the risk of loss, unauthorised access, interference, modification, destruction and disclosure.
Special processing requirements

POPIA creates special obligations for the processing of specific types of data or the performance of particular processing activities that organisations will need to consider.
• Special personal information: Processing special personal information (including race, health, sexual orientation, biometric information etc.) requires extra vigilance.
• Cross-border transfers: Cross-border transfers of personal information (i.e. the transfer of personal information from South Africa to another country) require additional protection measures.
• Direct marketing: Direct marketing (electronic and unsolicited) requires organisations to have measures in place for data subjects to opt in and opt out.
• Children’s personal information: Processing the personal information of children (under 18 years) requires the informed consent of a competent person (e.g. parent) to be obtained.
Automated decision-making

A data subject may not be subject to a decision which results in legal consequences or which affects him, her or it to a substantial degree, based solely on the automated processing of personal information intended to provide a profile of such a person.

Exceptions:
• In connection with the conclusion or execution of a contract, where the request of the data subject in terms of the contract has been met or measures to protect the legitimate interests of data subjects have been taken; or
• Where such processing is governed by a law or code of conduct that protects the legitimate interests of data subjects.
What happens if you do not comply?
• Financial fines (up to R10 million per breach)
• Imprisonment (up to 10 years)
• Reputational damage
• Loss of customers and employees (and failing to attract new ones)
• Civil liability claims
• Enforcement notices
Readiness profile of your organisation

Each profile is listed with its description and problem statement.

The ostrich
Description: Ignored POPIA until now and was hoping it would never be announced. Now is in a state of panic.
Problem statement: Doesn’t understand the applicability of POPIA and the implications of implementing the requirements.

The woodpecker
Description: Looking for a quick fix and wants to use templates to do the minimum to be compliant.
Problem statement: Typically thinks that POPIA can be implemented through templates alone, which might not ensure compliance.

The eight-eyed spider
Description: Disjointed program without a central coordinated approach to ensure initiatives are aligned.
Problem statement: Can be wasting time by not following a risk-based and structured approach. Needs a clear roadmap.

The clever owl
Description: Knows what is required but doesn’t know how to implement it.
Problem statement: Laid the foundations for privacy but followed a theoretical approach and doesn’t know how to operationalise and make compliance sustainable.

The blind mole
Description: Tasked either IT or Legal to run with it without involving the rest of the business.
Problem statement: Doesn’t know it has a problem and is overconfident. Needs to consider people, process and technology as part of implementation.

The octopus
Description: Operating in multiple jurisdictions. Doesn’t know which regulation to comply with.
Problem statement: Needs to do a proper mapping and prioritise relevant legislation to comply with first, based on risk assessment.
The POPIA compliance journey

The journey consists of ten steps:
• Understand the applicability of the law
• Classify and map your personal data
• Ensure accountability
• Ensure purpose and limitation
• Ensure openness
• Ensure data subject rights
• Data breach management
• Data security safeguards
• Management of personal data with data quality
• Further processing with care
Accelerators for implementing POPIA

What should your priorities be for the next three months?
• Define what ‘material compliance’ means to you, e.g.
  - Review your POPIA compliance risks.
  - Distinguish between mandatory requirements according to POPIA vs good practices.
  - Go manual; you can later automate and look for efficiency in processes.
• Review your implementation plan, and reprioritise implementation activities and information assets in scope, if necessary.
• Get your internal auditors involved early on to test the effectiveness of measures implemented to date and help guide priorities.
Accelerators for implementing POPIA

What can you do if you have not yet started?
• Depending on the size and complexity of your business, accept that you will not be ‘materially’ compliant by 30 June.
• You can’t ignore POPIA; you might as well start now.
• Develop a medium to longer-term implementation plan, even if it extends beyond 30 June.
• For the next 3 months, prioritise POPIA requirements in the highest-risk areas/information assets.
• Update policies, forms and websites with POPIA clauses.
• Put measures in place to prevent a data breach.
• Register an Information Officer.
• Provide for POPIA awareness training.
• Stop collecting PI that you don’t need.
• Put contracts in place with key third-party operators.
Thank you
“The information contained in this publication by PwC is provided for discussion purposes only and is intended to provide the reader or his/her entity with general information of interest. The information is supplied on an “as is” basis and has not been compiled to meet the reader’s or his/her entity’s individual requirements. It is the reader’s responsibility to satisfy himself or herself that the content meets the individual’s or his/her entity’s requirements. The information should not be regarded as professional or legal advice or the official opinion of PwC. No action should be taken on the strength of the information without obtaining professional advice. Although PwC takes all reasonable steps to ensure the quality and accuracy of the information, accuracy is not guaranteed. PwC shall not be liable for any damage, loss or liability of any nature incurred directly or indirectly by whomever and resulting from any cause in connection with the information contained herein.”